Stress test results have shown that the insurance industry’s exposure to cyber risk is material, with potential cyber event losses comparable to those caused by large natural catastrophes. However, the PRA found “material divergence in expertise, data, models and parametrisation in the estimation of both ‘affirmative’ and ‘non-affirmative’ cyber claims” across the industry. To build supervisory confidence, insurers will need to demonstrate robust modelling approaches and show that they are taking steps to reduce existing uncertainties related to cyber risk modelling. Insurers should also be prepared to explain and document the validity of their approach, including in particular how they have validated key cyber models.
Modelling cyber risk is inherently challenging due to the lack of readily available and standardised cyber incident data, compounded by the rapidly changing nature of cyber risks. In our view, improving data collection and use capabilities should therefore be key priorities for firms. A positive supervisory indicator, providing confidence to a firm’s supervisor that the firm has a good grasp of these issues, could for example include developing a data organisation approach that ensures consistent use of in-house data, and implementing it across different classes of business. On the other hand, evidence that a firm has no single view of cyber terminology could make the firm more likely to face increased supervisory scrutiny over data and modelling issues.
A second key area of focus for firms should be to identify, challenge and manage subjective modelling assumptions. Our research suggests that firms currently rely heavily on subjective expert judgments for their cyber modelling. Subjective assumptions are likely to require more frequent re-validation and challenge to ensure they remain appropriate and still fit the firm’s cyber risk profile. Supervisors will apply further scrutiny if boards do not apply a sufficient and appropriate degree of challenge, for example if they see boards relying without challenge on the views of cyber specialists when discussing and making decisions on cyber risk issues.
Our recent report on Cyber insurance underwriting explores these cyber data and modelling issues in more depth, and also covers silent cyber risks and managing cyber tail risks. It sets out key risks and actions for firms, positive and negative indicators that supervisors may look for as they evaluate firms’ maturity in dealing with key cyber risk issues, challenge questions boards can put to their organisation, and a checklist of next steps for firms.